Minimizing Cyber Attacks on Government from Unverified Software
Cyber Attacks on Government are on the Rise
Cyber security attacks are on the rise, and unfortunately government is an all too common target. One study found that 60% of the cyber attacks that occurred from January – June 2019 targeted government, and that 70% of the “successful” attacks in that same period were against government.
Although many government breaches go unreported by the media, there are some that have received attention.
*Graph not reproduced here. Its values represented reported hard-dollar losses resulting from cyber breaches; soft-dollar costs were not reflected in the graph.
These cyber attacks on government cost taxpayers millions of dollars and countless hours of staff time, and they also have the potential to expose sensitive citizen information, such as Personally Identifiable Information (PII) and Protected Health Information (PHI). Both types of data are commonly hosted on government systems and on third-party cloud solutions.
State and local governments have begun to adopt policies that require third-party cloud solutions to meet a minimum security threshold. However, fewer than 3% of state and local governments have practices in place to validate that a third-party cloud solution actually meets it.
Securing Government Data & Systems
As government works to secure its own systems, it cannot ignore the risk introduced by working with unsecured cloud vendors. A recent study examined reports of data breaches in 2018 and found that “61% of U.S. data breaches occurred as a result of unsecured third-party cloud solutions.”
The federal government took action to address this serious problem and developed FedRAMP, the Federal Risk and Authorization Management Program. This program was created for the sole purpose of verifying a cloud provider’s cyber security posture. FedRAMP’s mission is to “simplify security for the digital age by providing a standardized approach to security for the cloud.”
Under FedRAMP, a Third-Party Assessment Organization, or 3PAO, independently tests a vendor’s claim that its cloud service implements the required security controls, which FedRAMP derives from the National Institute of Standards and Technology (NIST) Special Publication 800-53 control catalog rather than from a vendor self-assessment. A vendor cannot simply apply for FedRAMP authorization on its own; it needs a federal agency to sponsor the authorization (or prioritization by FedRAMP’s Joint Authorization Board), so in practice authorization follows federal demand for the service. For a federal agency to contract for a cloud service, the vendor must be FedRAMP authorized.
State governments are beginning to explore how to address cyber security for cloud solutions as well. Many states include requirements in RFPs and contracts that vendors meet the NIST Cybersecurity Framework. However, fewer than 3% of states then verify that the vendor actually complies with that requirement; the contract clause stands in for the assessment.
As many states grapple with how to manage this risk and the need for verification, a few states are taking steps. Virginia took the largest step in protecting its cyber security with the creation of CyberVirginia, an agency similar in nature to FedRAMP. Other states, such as Tennessee and Texas, have contracted with 3PAOs to verify the NIST compliance of certain cloud providers. How states will verify vendor compliance with NIST standards is the question of the day.
Considerations for State & Local Government
1. A State’s Cyber Risk Increases with Each Unverified Cloud Award.
Each contract awarded on the strength of a vendor’s unverified self-attestation adds to the state’s exposure. States can reduce this unnecessary risk by moving to a “Trust but Verify” contracting approach, in which each new award is conditioned on an independent assessment of the vendor’s controls.
2. Internal Accreditation Exposes the State.
If a state’s own staff accredit vendors, the state owns both the assessment findings and any dispute about them. Using a 3PAO for accreditation provides independent expert oversight and mitigates the risk of bid protests against the state.
3. Budget and Resource Allocation Prevent Verification.
Rather than creating 50 unique verification methods, states could find cost savings and efficiencies by working together through a consortium. The consortium could rely on 3PAOs to validate providers once, and partner states would then accept those credentials instead of repeating the assessment.
Our team is available to assist states and state organizations as they work to find the most efficient process for ensuring NIST compliance and a safer cyber environment for all.